Hacked by Syrians

  • NorthVanMike
    New Member
    • Nov 2011
    • 26

    #16
    Ours too. We're completely pissed off at vBulletin. I honestly don't know what to say, seeing others are hacked too. Unbelievable.

    Comment

    • Zachery
      Former vBulletin Support
      • Jul 2002
      • 59097

      #17
      Originally posted by NorthVanMike
      Ours too. We're completely pissed off at vBulletin. I honestly don't know what to say, seeing others are hacked too. Unbelievable.
      We've pushed out several announcements, and there are also guides on how to fix the problem. In order to protect your site, you need to be watchful of security announcements.

      Make sure @vbulletin.com is an approved sender on your email account.
      You can follow @vBulletin and/or @vBzachery for vBulletin-related security tweets.
      You can visit the vBulletin.com forums and check the announcement forum.
      You can log in to your AdminCP to check for AdminCP news.


      No one is perfect, and sometimes, we're going to make mistakes, or a bug in php/apache/etc is going to crop up that we couldn't foresee 3 years ago. The only thing we can do then is provide a patch, or instructions on how to prevent the issue from affecting you, nothing more. We take every action possible to fix and resolve issues within the software, but we depend on you taking action when notified.

      We've been bogged down by our customers getting hit by it; trust me, we don't like it any more than you. I'd gather that we dislike dealing with customers' exploited sites a heck of a lot more than you do.

      Comment

      • Scottt
        New Member
        • Feb 2010
        • 13
        • 4.0.0

        #18
        Zach, you and the fellas have been very proactive answering the questions on these hacks.

        Guys - they are getting into your control panel by hacking an existing account and installing plugins or creating new admins to do it. Get your admins (not mods - just admins) to change your passwords to HARD passwords .... letters / numbers / etc.

        Keep a fresh copy of your root directory and just do a fresh upload if this happens again ..... unless your database is affected, which is unlikely, the fix takes a few minutes in FTP. Wiping the current one out completely and replacing it is the fastest way. DB managers can fiddle around and see what they did, but non-techies won't find it - trust me. Just reinstall the root and be done with it. Then follow the posts to protect yourselves moving forward.

        From someone who was hacked on Sept 11th, but fixed it.

        Comment

        • GuitarsCanada
          Senior Member
          • Jan 2006
          • 123

          #19
          I am past any blame. I just need help fast. These people wiped out all the files in my directories. I need some help here on getting back what I can. I uploaded a new vBulletin 4.2.1 and initially ran the install on it. That gave me the forum, period. No users, no posts, no threads, etc. We have a database backup from a few days ago that my service provider put into a file for me, but I have no idea what I am supposed to do to reconnect that database to this new forum? Right now I am not worried about styling etc.; I just want back my half a million posts and the 10,000-plus user profiles.

          Am I supposed to run a fresh install? They wiped everything clean except two stupid webpages they created, which are gone out of there now. I need some help here.

          Comment

          • donald1234
            Senior Member
            • Oct 2011
            • 1953
            • 4.1.x

            #20
            If you have downloaded a complete new set of files, then your config.php will be empty. You will need to populate your config.php with all your database details (user, password, etc.), then run the upgrade script, not the install, remembering to delete the install directory when done.

            Comment

            • GuitarsCanada
              Senior Member
              • Jan 2006
              • 123

              #21
              Originally posted by donald1234
              If you have downloaded a complete new set of files, then your config.php will be empty. You will need to populate your config.php with all your database details (user, password, etc.), then run the upgrade script, not the install, remembering to delete the install directory when done.
              Appreciate the info. Should I not have run the install program the first time around then? Should I have just run the upgrade instead? I initially ran the install before we had the old database restored. I did install the old config.php prior to running the install. So it was the one from before the hack. But now if I try to run the upgrade I get an error saying it cannot find the database, i.e. my database as named previously. I am assuming that's because we need to move it to where it belongs.

              Comment

              • donald1234
                Senior Member
                • Oct 2011
                • 1953
                • 4.1.x

                #22
                Yes, you can only use the install script if it is a new install with a new (empty) database. If you want to use an existing database, use the upgrade script after putting database details in the config.php.

                Comment

                • Bone Head
                  Member
                  • Sep 2000
                  • 71

                  #23
                  I have had a similar problem and posted it in another thread but haven't had any real constructive help. I never had an install directory. I have re-installed vBulletin and I still have the same problem, so I presume it's the database that has been hacked?

                  Two pages show up as not being 'dodgy' when checked from the admin CP are index.php and forum.php but I have just uploaded fresh ones as part of the install.

                  I run a nightly backup of the database as we have years of posts, but it's going to be of no use as it is, as the 'infected' data will be in it.

                  Batter Late than ....... pregnant

                  Comment

                  • donald1234
                    Senior Member
                    • Oct 2011
                    • 1953
                    • 4.1.x

                    #24
                    Just use a backup from before the hack and a new set of files

                    Comment

                    • jayhawk785
                      New Member
                      • Feb 2005
                      • 9
                      • 3.0.6

                      #25
                      Honestly, this is not completely VB's fault. I almost always rename/move that folder somewhere else, but I rsync'd it back at some point. There's no reason to leave it in there; you leave yourself open to all sorts of issues. Should there be a SQL exploit? No. Should you leave upgrade and install files lying around? Absolutely not.

                      The only thing that was modified on mine -- 2 admin users created, removed both, then reverted the FORUMHOME display template. If you can't find a forumhome template, just go delete the users it created (select * from user where usergroupid = 6) [assuming your admin id = 6], find the ones that shouldn't be there and remove them. Then go edit your forumhome template and delete everything in there and put a message to your users that you're fixing it (i.e. Hey guys, hackers suck and so does the Syrian army--will be back up soon).

                      If this helps anyone, which I doubt it will - here are the logs from mine where they were hitting me. I don't keep my control panel on /admincp - so I doubt they ever found it to do anything else.

                      [code]
                      199.21.99.70 - - [15/Sep/2013:06:48:48 -0400] "GET /threads/7091-XP-Reinstall/page2?s=f0a313c80a255651a67d562c62556362 HTTP/1.1" 200 16548 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
                      199.21.99.70 - - [15/Sep/2013:06:48:50 -0400] "GET /threads/7091-XP-Reinstall/page2?s=2c638cbf9f91a3921fb0af94903b49c1 HTTP/1.1" 200 16548 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
                      88.253.190.120 - - [16/Sep/2013:18:40:50 -0400] "GET /install/upgrade.php HTTP/1.1" 200 13856 "-" "-"
                      195.175.74.234 - - [16/Sep/2013:19:28:35 -0400] "GET /install/upgrade.php HTTP/1.1" 200 13800 "-" "-"
                      95.9.235.76 - - [16/Sep/2013:20:18:02 -0400] "GET /install/upgrade.php HTTP/1.1" 200 13856 "-" "-"
                      195.175.74.234 - - [17/Sep/2013:06:36:48 -0400] "GET /install/upgrade.php HTTP/1.1" 200 13800 "-" "-"
                      195.175.74.234 - - [17/Sep/2013:07:51:10 -0400] "GET /install/upgrade.php HTTP/1.1" 200 13800 "-" "-"
                      180.76.5.136 - - [17/Sep/2013:23:00:42 -0400] "GET /threads/7091-XP-Reinstall/page2?p=67938 HTTP/1.1" 200 15307 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
                      88.230.120.188 - - [19/Sep/2013:18:40:19 -0400] "GET /board/groups//install/upgrade.php HTTP/1.1" 404 455 "-" "-"
                      88.230.120.188 - - [19/Sep/2013:21:04:09 -0400] "GET /board/groups//install/upgrade.php HTTP/1.1" 404 455 "-" "-"
                      88.230.120.188 - - [19/Sep/2013:23:28:53 -0400] "GET /board//install/upgrade.php HTTP/1.1" 404 448 "-" "-"
                      88.230.120.188 - - [20/Sep/2013:03:53:47 -0400] "GET /board/groups//install/upgrade.php HTTP/1.1" 404 455 "-" "-"
                      65.254.32.18 - - [21/Sep/2013:05:27:36 -0400] "GET //install/upgrade.php HTTP/1.1" 200 13800 "-" "PHP/5.3.25"
                      91.144.37.46 - - [21/Sep/2013:05:31:46 -0400] "GET //install/upgrade.php HTTP/1.1" 200 3974 "http://www.557.com.au/innerstrength/logs/vbcostumer.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      91.144.37.46 - - [21/Sep/2013:05:31:48 -0400] "GET //cpstyles/vBulletin_3_Silver/controlpanel.css HTTP/1.1" 200 4345 "http://www.mysite.com//install/upgrade.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      91.144.37.46 - - [21/Sep/2013:05:31:48 -0400] "GET //clientscript/yui/connection/connection-min.js HTTP/1.1" 200 4807 "http://www.mysite.com//install/upgrade.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      91.144.37.46 - - [21/Sep/2013:05:31:48 -0400] "GET //clientscript/vbulletin-core.js HTTP/1.1" 200 15591 "http://www.mysite.com//install/upgrade.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      91.144.37.46 - - [21/Sep/2013:05:31:48 -0400] "GET //clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js HTTP/1.1" 200 20507 "http://www.mysite.com//install/upgrade.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      91.144.37.46 - - [21/Sep/2013:05:31:49 -0400] "GET //install/vbulletin-upgrade.js HTTP/1.1" 200 5909 "http://www.mysite.com//install/upgrade.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      91.144.37.46 - - [21/Sep/2013:05:31:52 -0400] "GET //cpstyles/vBulletin_3_Silver/cp_logo.gif HTTP/1.1" 200 8659 "http://www.mysite.com//install/upgrade.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      91.144.37.46 - - [21/Sep/2013:05:31:52 -0400] "GET //cpstyles/vBulletin_3_Silver/progress.gif HTTP/1.1" 200 1033 "http://www.mysite.com//install/upgrade.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      91.144.37.46 - - [21/Sep/2013:05:31:53 -0400] "GET //cpstyles/vBulletin_3_Silver/cp_button_bg.gif HTTP/1.1" 200 546 "http://www.mysite.com//install/upgrade.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      91.144.37.46 - - [21/Sep/2013:05:31:52 -0400] "GET //cpstyles/vBulletin_3_Silver/cp_navbody_bg.gif HTTP/1.1" 200 3053 "http://www.mysite.com//install/upgrade.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      91.144.37.46 - - [21/Sep/2013:05:33:13 -0400] "POST //install/upgrade.php HTTP/1.1" 200 554 "-" "-"
                      91.144.37.46 - - [21/Sep/2013:05:35:20 -0400] "POST /install/upgrade.php HTTP/1.1" 200 554 "-" "-"
                      91.144.37.46 - - [21/Sep/2013:05:35:33 -0400] "GET //install/upgrade.php HTTP/1.1" 200 3974 "http://www.557.com.au/innerstrength/logs/vbcostumer.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36"
                      88.230.120.188 - - [21/Sep/2013:09:50:50 -0400] "GET /board/groups//install/upgrade.php HTTP/1.1" 404 455 "-" "-"
                      46.197.69.42 - - [21/Sep/2013:10:04:29 -0400] "GET /board/groups//install/upgrade.php HTTP/1.1" 404 455 "-" "-"
                      183.60.244.44 - - [21/Sep/2013:13:20:22 -0400] "GET /a_d/install/data.sql HTTP/1.1" 301 490 "http://www.baidu.com" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
                      183.60.244.44 - - [21/Sep/2013:13:20:22 -0400] "GET /covers/a_d/install/data.sql HTTP/1.1" 404 405 "http://www.baidu.com" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
                      183.60.244.44 - - [21/Sep/2013:13:20:27 -0400] "GET /install/templates/step-1.html HTTP/1.1" 301 502 "http://www.baidu.com" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
                      183.60.244.44 - - [21/Sep/2013:13:20:27 -0400] "GET /covers/install/templates/step-1.html HTTP/1.1" 404 408 "http://www.baidu.com" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
                      [/code]

                      I've blocked (again) the Baidu spider.. that thing sucks anyway, but pay attention to the /install/upgrade.php hits.

                      in .htaccess add this:

                      Code:
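                      # Forum
                      # Needs "RewriteEngine On" earlier in this .htaccess.
                      # Every request under install/ is answered with a static page instead.
                      RewriteRule ^install/.* dontberetarded.htm [QSA]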
                      you can change dontberetarded.htm to your own special file and message...

                      hope that helps someone.

                      Comment
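The check described in post #25 (watching the access log for /install/upgrade.php hits), as an added example that is not part of the original thread. The function names, the three severity labels and the sample log lines are assumptions made for this illustration; the lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the format of the excerpt in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A path segment named exactly "install"; doubled slashes still match.
INSTALL_RE = re.compile(r'(^|/)install(/|$)', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not copied from the thread.
SAMPLE_LOG = '''\
192.0.2.10 - - [16/Sep/2013:18:40:50 -0400] "GET /install/upgrade.php HTTP/1.1" 200 13856 "-" "-"
198.51.100.7 - - [19/Sep/2013:18:40:19 -0400] "GET /board/groups//install/upgrade.php HTTP/1.1" 404 455 "-" "-"
203.0.113.5 - - [21/Sep/2013:05:31:46 -0400] "GET //install/upgrade.php HTTP/1.1" 200 3974 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Sep/2013:05:33:13 -0400] "POST //install/upgrade.php HTTP/1.1" 200 554 "-" "-"
192.0.2.99 - - [17/Sep/2013:23:00:42 -0400] "GET /threads/7091-XP-Reinstall/page2?p=67938 HTTP/1.1" 200 15307 "-" "Mozilla/5.0"
'''

def classify(method, status):
    """Severity labels are this example's own convention."""
    served = 200 <= status < 300
    if served and method == "POST":
        return "critical"  # the upgrade script accepted a form submission
    return "exposed" if served else "probe"  # reachable vs. path guessing

def scan(log_text):
    """Return {ip: [(timestamp, method, path, status, severity), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not INSTALL_RE.search(path):
            continue
        status = int(m["status"])
        hits[m["ip"]].append(
            (m["ts"], m["method"], path, status, classify(m["method"], status)))
    return dict(hits)

def worst(hits):
    """Highest severity seen per client IP."""
    order = {"probe": 0, "exposed": 1, "critical": 2}
    return {ip: max((h[4] for h in rows), key=order.get) for ip, rows in hits.items()}

if __name__ == "__main__":
    print(worst(scan(SAMPLE_LOG)))
```

Any "exposed" or "critical" result means the install directory is still being served and should be removed or blocked; a "critical" one also calls for the admin-user and template review described in the same post.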

                      • kat00
                        Senior Member
                        • Dec 2006
                        • 259
                        • 4.0.0

                        #26
                        Guys - they are getting into your control panel by hacking an existing account and installing plugins or creating new admins to do it. Get your admins (not mods - just admins) to change your passwords to HARD passwords .... letters / numbers / etc.

                        Keep a fresh copy of your root directory and just do a fresh upload if this happens again ..... unless your database is affected, which is unlikely, the fix takes a few minutes in FTP. Wiping the current one out completely and replacing it is the fastest way. DB managers can fiddle around and see what they did, but non-techies won't find it - trust me. Just reinstall the root and be done with it. Then follow the posts to protect yourselves moving forward
                        And check for plugins they have planted, not just in "Manage Products" but also in the "Plug in Manager" and delete it.
                        ttttt

                        Comment
